use of org.apache.druid.server.security.Access in project druid by druid-io.
the class RangerDruidAccessRequest method authorize.
/**
 * Asks the Ranger plugin whether the authenticated identity may perform {@code action} on
 * {@code resource}.
 *
 * <p>The decision fails closed: access is granted only when the plugin returns a non-null
 * result whose {@code getIsAllowed()} is true. A null result is treated as a denial.
 *
 * @param authenticationResult the authenticated caller; must not be null
 * @param resource the Druid resource being accessed
 * @param action the action requested on the resource
 * @return {@code Access(true)} when Ranger allows the request, {@code Access(false)} otherwise
 * @throws IAE if {@code authenticationResult} is null
 */
@Override
public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action) {
    if (authenticationResult == null) {
        throw new IAE("authenticationResult is null where it should never be.");
    }

    // Groups are only resolved when UGI lookups are enabled; otherwise the request is
    // evaluated on the identity alone (null group set).
    Set<String> groupsOfCaller = null;
    if (useUgi) {
        final UserGroupInformation remoteUser =
            UserGroupInformation.createRemoteUser(authenticationResult.getIdentity());
        final String[] groupNames = remoteUser == null ? null : remoteUser.getGroupNames();
        final boolean hasGroups = groupNames != null && groupNames.length != 0;
        if (hasGroups) {
            groupsOfCaller = new HashSet<>(Arrays.asList(groupNames));
        }
    }

    final RangerDruidAccessRequest accessRequest = new RangerDruidAccessRequest(
        new RangerDruidResource(resource),
        authenticationResult.getIdentity(),
        groupsOfCaller,
        action
    );
    final RangerAccessResult decision = rangerPlugin.isAccessAllowed(accessRequest);

    // Debug-only trace of the request and the raw decision (null when the plugin gave no result).
    if (log.isDebugEnabled()) {
        log.debug("==> authorize: %s, allowed: %s", accessRequest.toString(), decision != null ? decision.getIsAllowed() : null);
    }

    // Deny unless the plugin explicitly allowed the request.
    final boolean allowed = decision != null && decision.getIsAllowed();
    return new Access(allowed);
}
use of org.apache.druid.server.security.Access in project druid by druid-io.
the class BasicRoleBasedAuthorizerTest method testAuth.
/**
 * Verifies that a user whose role carries a WRITE permission on the datasource
 * {@code testResource} is allowed that action, and is denied the same action on a
 * datasource with a different name.
 *
 * <p>Only a resource-name mismatch is exercised as the denial case here; a different
 * action, a different resource type and a user without any role are not covered by
 * this method.
 */
@Test
public void testAuth() {
    // Arrange: user "druid" holds role "druidRole", which grants WRITE on datasource "testResource".
    updater.createUser(DB_AUTHORIZER_NAME, "druid");
    updater.createRole(DB_AUTHORIZER_NAME, "druidRole");
    updater.assignUserRole(DB_AUTHORIZER_NAME, "druid", "druidRole");
    final ResourceAction writeTestResource =
        new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE);
    updater.setPermissions(DB_AUTHORIZER_NAME, "druidRole", Collections.singletonList(writeTestResource));

    final AuthenticationResult caller = new AuthenticationResult("druid", "druid", null, null);

    // The granted resource/action pair must be allowed.
    final Access granted =
        authorizer.authorize(caller, new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE);
    Assert.assertTrue(granted.isAllowed());

    // Same user and action, but a resource name the role has no permission for: must be denied.
    final Access denied =
        authorizer.authorize(caller, new Resource("wrongResource", ResourceType.DATASOURCE), Action.WRITE);
    Assert.assertFalse(denied.isAllowed());
}
use of org.apache.druid.server.security.Access in project druid by druid-io.
the class BasicRoleBasedAuthorizer method authorize.
/**
 * Decides access by checking every permission of every role held by the caller.
 *
 * <p>The default outcome is a denial: access is granted only when some permission of some
 * role resolved for the caller passes {@code permissionCheck}. A caller with no roles is
 * denied before the role map is consulted, and a role name that has no entry in the role
 * map is skipped rather than treated as a grant.
 *
 * @param authenticationResult the authenticated caller; must not be null
 * @param resource the resource being accessed
 * @param action the action requested on the resource
 * @return {@code Access(true)} on the first matching permission, {@code Access(false)} otherwise
 * @throws IAE if {@code authenticationResult} is null, or if the caller has roles but the
 *     role map for this authorizer could not be loaded
 */
@Override
@SuppressWarnings("unchecked")
public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action) {
    if (authenticationResult == null) {
        throw new IAE("authenticationResult is null where it should never be.");
    }

    final Set<String> grantedRoleNames = new HashSet<>(roleProvider.getRoles(name, authenticationResult));
    final Map<String, BasicAuthorizerRole> rolesByName = roleProvider.getRoleMap(name);

    // No roles means nothing can grant access; this is checked before the role map is inspected.
    if (grantedRoleNames.isEmpty()) {
        return new Access(false);
    }
    // The caller has roles but they cannot be resolved: raise an error instead of guessing.
    if (roleMap(rolesByName) == null) {
        throw new IAE("Could not load roleMap for authorizer [%s]", name);
    }

    for (String grantedRoleName : grantedRoleNames) {
        final BasicAuthorizerRole grantedRole = rolesByName.get(grantedRoleName);
        if (grantedRole == null) {
            // Role name without a definition in the map: contributes no permissions.
            continue;
        }
        for (BasicAuthorizerPermission candidate : grantedRole.getPermissions()) {
            if (permissionCheck(resource, action, candidate)) {
                return new Access(true);
            }
        }
    }

    // Nothing matched: deny.
    return new Access(false);
}

/** Identity helper that names the null check on the loaded role map. */
private static <K, V> Map<K, V> roleMap(Map<K, V> loaded) {
    return loaded;
}
use of org.apache.druid.server.security.Access in project druid by druid-io.
the class ConfigResourceFilter method filter.
/**
 * Rejects the request unless the caller is authorized for the action derived from it on the
 * {@code CONFIG} resource.
 *
 * @param request the incoming request
 * @return the same request, unchanged, when authorization succeeds
 * @throws ForbiddenException when the authorization result is not allowed
 */
@Override
public ContainerRequest filter(ContainerRequest request) {
    final Resource configResource = new Resource("CONFIG", ResourceType.CONFIG);
    final ResourceAction requested = new ResourceAction(configResource, getAction(request));
    final Access decision =
        AuthorizationUtils.authorizeResourceAction(getReq(), requested, getAuthorizerMapper());

    if (decision.isAllowed()) {
        return request;
    }
    // NOTE(review): the exception message is Access#toString(); what it contains and whether it
    // is returned to the client is not visible here - confirm it exposes no policy detail.
    throw new ForbiddenException(decision.toString());
}
use of org.apache.druid.server.security.Access in project druid by druid-io.
the class DatasourceResourceFilter method filter.
/**
 * Rejects the request unless the caller is authorized for the action derived from it on the
 * datasource named by the request.
 *
 * @param request the incoming request
 * @return the same request, unchanged, when authorization succeeds
 * @throws ForbiddenException when the authorization result is not allowed
 */
@Override
public ContainerRequest filter(ContainerRequest request) {
    // The datasource name is taken from the request itself.
    // NOTE(review): confirm the name checked here is the same one the downstream handler acts on.
    final Resource datasource = new Resource(getRequestDatasourceName(request), ResourceType.DATASOURCE);
    final ResourceAction requested = new ResourceAction(datasource, getAction(request));
    final Access decision =
        AuthorizationUtils.authorizeResourceAction(getReq(), requested, getAuthorizerMapper());

    if (decision.isAllowed()) {
        return request;
    }
    // NOTE(review): the exception message is Access#toString(); what it contains and whether it
    // is returned to the client is not visible here - confirm it exposes no policy detail.
    throw new ForbiddenException(decision.toString());
}